experimental namespace for openid.net
George Fletcher
gffletch at aol.com
Fri Jul 10 18:58:55 UTC 2009
+1 to http://experimental.openid.net
It would be good to add this to the "repository" work Breno and John are
doing as having a registry for experimental URIs would be good as well.
Thanks,
George
Dirk Balfanz wrote:
> [+general at openid.net for a broader audience]
>
> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
>
> Hi guys,
>
> Google would like to launch a feature in which we're allowing our
> Google Apps hosted domains to become OpenID providers. The
> authentication part of it is pretty simple - Google is already
> logging in users to their apps, so we can also host an OP endpoint
> for those domains and send assertions back to Relying Parties.
> What is more difficult is the discovery part. We have been working
> with the XRI TC to define an XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf
> of our customers.
>
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to
> launch this feature in the near future, using a discovery protocol
> that as far as we can tell meets all the requirements of what the
> XRI TC is currently converging on, but which has not been vetted
> as an official standard (it's a chicken and egg thing - without
> PoC no standards, without standards by definition no
> standards-compliant implementations).
>
> While we were tossing around ideas
> <http://markmail.org/message/ixc5led2lobdwij2> in the
> standardization committees we just used random identifiers for new
> XML namespaces, etc. that we would need for this discovery
> protocol. Now that we're about to launch we need to decide what to
> call these things. We would like to use a namespace
> in http://specs.openid.net/... because we want this kind of
> discovery protocol to be part of OpenID, but we can't really use
> them because we don't have a next-generation discovery protocol yet.
>
> So what should we use? How
> about http://experimental.openid.net/... ? That way, Relying
> Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other
> hand, this would also be a signal to the RP that they're using a
> feature that has not been vetted as a standard yet.
>
> For example, a discovery document for a domain balfanz.net at
> Google might look like this (notice the "experimental" namespace
> and the XML elements using it):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>     </ds:SignedInfo>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>
>           MIICgjCCA...
>         </ds:X509Certificate>
>         <ds:X509Certificate>
>           MIICsDCCAhmgAwIB...
>         </ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <XRD>
>     <CanonicalID>balfanz.net</CanonicalID>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>     </Service>
>     <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>       <Type>http://www.iana.org/assignments/relation/describedby</Type>
>       <MediaType>application/xrds+xml</MediaType>
>       <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>       <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> What do you guys think?
>
> Dirk.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
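
An added example, not part of the original thread and not Google's or the OpenID Foundation's code: one way a Relying Party could parse the discovery document quoted above with namespace-aware matching, so that a Service carrying elements from http://experimental.openid.net/... is only accepted when the RP has opted in. The function names and the allow_experimental flag are hypothetical; the sample is a constructed, trimmed copy of the quoted document with the ds:Signature block left out, and no signature verification or URITemplate expansion is attempted.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
EXPERIMENTAL_PREFIX = "http://experimental.openid.net/"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"

# Constructed sample: the quoted document without its ds:Signature element.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>"""

def parse_discovery(xml_bytes, allow_experimental=False):
    """Return Service entries sorted by priority; experimental ones only on opt-in."""
    if b"<!DOCTYPE" in xml_bytes:  # discovery documents have no reason to carry a DTD
        raise ValueError("DOCTYPE not allowed in a discovery document")
    services = []
    for svc in ET.fromstring(xml_bytes).iter("{%s}Service" % XRD_NS):
        entry = {"priority": int(svc.get("priority", "0")), "types": [], "uris": [], "experimental": {}}
        for child in svc:
            ns, _, local = child.tag.rpartition("}")  # ElementTree tags are "{namespace}local"
            ns, text = ns[1:], (child.text or "").strip()
            if ns == XRD_NS and local == "Type":
                entry["types"].append(text)
            elif ns == XRD_NS and local == "URI":
                entry["uris"].append(text)
            elif ns.startswith(EXPERIMENTAL_PREFIX):
                entry["experimental"][local] = text
        # Match on the namespace URI, never the prefix: the prefix is the sender's choice.
        if not entry["experimental"] or allow_experimental:
            services.append(entry)
    return sorted(services, key=lambda s: s["priority"])

def op_endpoints(services):
    """URIs of services that advertise the OpenID 2.0 server type."""
    return [u for s in services if OPENID2_SERVER in s["types"] for u in s["uris"]]
```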